A two-part blog series by Rhino Security Labs that talks about common issues seen in deployments using AWS Cognito, and how they automated testing and attacking of said issues.AWS Cognito is a front-end solution by AWS for user auth and authorization, typically used for web and mobile apps…
Post from Man Yue Mo at GitHub Security Lab on an RCE in Chrome due to a bug in Chrome’s JIT compiler (TurboFan).As a bit of background, modern browsers will often compile code/functions that are deemed as ‘hotpaths’ (aka executed a lot)…
A buffer overflow vulnerability was introduced in a 2021 patch to glibc’s dynamic loader when processing GLIBC_TUNABLES environment variables.Tunables are basically configuration settings of the runtime that can be set via key/value pairs in the form of key=val…
A rather complex-bug to trigger that was found being exploited in the wild against libwebp’s VP8L compression and was reachable through an iMessage.
Writeup for exploiting an io_uring bug submitted to kCTF (before io_uring was disabled in kCTF).The vulnerability itself was extremely straightforward and was in the handling for IORING_OP_MSG_RING command for signaling another ring…
A fairly simple processing bug in WinRAR resulting in code execution with benign seeming interaction with an archive; unfortunately this one was seen being exploited in the wild to spread malware.
Awesome abuse of an Regex DoS to bypass a security check in MyBB resulting in an RCE.
A bit of an unexpected fault in GCC’s -fstack-protector implementation that meant that the saved return address wasn’t actually protected by the stack-protector on AArch64 in some cases.
Not making encrypted blobs tamper-proof is a pretty classic crypto issue that lead to an arbitrary file-upload and code execution vulnerability in ShareFile. The file upload functionality of ShareFile took a few natural arguments: a filename, an uploadid and a parentid…
The title gives this one away, the header(...) function in PHP will issue a warning (and keep executing) without adding the header to the response if the header contains a Carriage Return (\r), New-Line (\n) or Null-byte (\x00).That functionality may not be new to you as its purpose is to kill response splitting attacks, but @OctagonNetworks presents a fresh twist on this, probably not the first to have the thought but it was a neat idea to me…
A request that isn’t vulnerable until you make it twice.Definitely an interesting edge case that a lot of testing might overlook…
Two vulnerabilities in Jellyfin, which is a media server fork of Emby. They focused on the REST API in the server, and they noticed that the Authorization header seemed to be implicitly trusted in many endpoints despite the fact it could be attacker-controlled.
Two vulns in VirtualBox, an Out-of-Bounds (OOB) write in the TPM module and an OOB read in VGA. Both ultimately come from the Memory Mapped I/O (MMIO) read handlers.
A linux kernel bug in the overlayfs filesystem that can lead to root privilege escalation.For a bit of background, overlayfs allows you to have a filesystem that’s comprised of two layers; an upper layer and a lower layer…
A post by Ophion Security that looks at customer support portals built off Zendesk that have poor configuration such as GitHub.Zendesk supports “placeholders” for tickets, mainly for support agents and automated responses to use for autofilling information, such as the ticket ID, someone’s name, etc…